Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Privacy Security The Media IT

Memo Details Gawker Security Strategy 76

Posted by Soulskill
from the barn-doors-and-horses dept.
Trailrunner7 writes "After a hack of systems belonging to online publishing giant Gawker Media that yielded more than one million passwords, the online media company's chief technology officer has announced new defense strategies aimed at placating their users and preventing further humiliating data breaches. Thomas Plunkett issued a company-wide memo on Friday that lays out the new security measures and suggests the company overlooked security concerns in the rush to develop new features."
This discussion has been archived. No new comments can be posted.

Memo Details Gawker Security Strategy

Comments Filter:
  • by Anonymous Coward on Monday December 20, 2010 @08:06PM (#34623620)

    I read it, but nowhere it mentions not being douchebags. Not gonna work.

    • by PatPending (953482) on Monday December 20, 2010 @08:22PM (#34623742)
      Plunkett should be sacked because he is ultimately responsible for his team.
      • Plunkett should be sacked because he is ultimately responsible for his team.

        Right now Gawker needs him because he (probably) knows more about their systems than anyone. I'm sure in time there will be an announcement that he's decided to resign to spend more time with his family.

        • by c0lo (1497653)

          Plunkett should be sacked because he is ultimately responsible for his team.

          Right now Gawker needs him because he (probably) knows more about their systems than anyone.

          Based only on the info published by the memo, he doesn't know too much... but is still only a memo.

    • Re:Not gonna work.. (Score:5, Informative)

      by E IS mC(Square) (721736) on Monday December 20, 2010 @08:30PM (#34623802) Journal

      * That douchbag Prank at CES (http://gizmodo.com/343348/confessions-the-meanest-thing-gizmodo-did-at-ces)
      * Then Brian Lam being complete ass (http://gizmodo.com/303223/halo-3-swag-rebagging-plus-apology)
      * Classy!! "if you're a twerpy little internet chump", " Especially not when we own the fucking podium." - (http://gizmodo.com/5687692/you-write-bias-journalism-and-i-read-derp)
      * Adam Frucci's post on telling off all Apple haters to go fuck themselves - can't find the origina post (which was modified few times when it backfired)
      * Banning any critical commentator (http://gizmodo.com/tag/phantomzone)
      * Being complete douch for the iphone prototype thingy and getting banged in the ass by Jesus Steve Jobs himself
      * Too much hurt? Wow! (http://gizmodo.com/5461485/ipad-snivelers-put-up-or-shut-up)
      * Banning users, creating fake ones, deliberately dissing Nokia and it's users (http://play-this.org/2010/10/nokia-uses-social-pr-tactics-to-battle-gizmodo/)

      The list is endless..

  • by BitHive (578094) on Monday December 20, 2010 @08:19PM (#34623724) Homepage

    I've been dying to know whether the no-name CTO of some joke of a blog franchise has had any thoughts since his incompetence was made public.

    I, for one, will be eagerly perusing his recommendations to see if there's anything I've missed.

  • ...Don't talk about the Gawker Media Strategy...
  • by MrQuacker (1938262) on Monday December 20, 2010 @08:35PM (#34623846)
    Their whole strategy so far has been to blame the users: "Its not Gawkers fault your passwords are so weak."
    • Their whole strategy so far has been to blame the users: "Its not Gawkers fault your passwords are so weak."

      Which is both reprehensible of them and false. Their poor choice of algorithm literally truncated my sixteen character password to an eight character one. When I logged in to change mine I did so with just the front half.

      • Both Lifehacker and Gizmodo have been running nothing but security stories since this happened. And they all have the theme of blaming users for having weak passwords.
    • While Gawker has thus far avoided accepting any real responsibility for the incident (not so much as an apology yet), they haven't actually been blaming users. Lifehacker has run a succession of posts on good password practices, but they haven't been criticizing anyone. And they certainly haven't reprimanded their users for 'weak' passwords. The truth of the matter is that users who had passwords that were unique to their Gawker account (a practice we all know is the smart way to go, right?) only had to
      • by Anonymous Coward

        "The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack" -- in a way that is not a lie and not critizing their users, but it does give the impression that the users actually had a choice to secure their account. Reality is that with gawkers password scheme that was not possible.

      • by Jawnn (445279)

        While Gawker has thus far avoided accepting any real responsibility for the incident (not so much as an apology yet), they haven't actually been blaming users. Lifehacker has run a succession of posts on good password practices, but they haven't been criticizing anyone.

        This is the same bullshit, "We can't actually say this, but we will hint at, imply, and suggest it in every possible way until you believe it" strategy that Fox News has mastered so well. The plain fact, of course, is that Gawker is to blame for the breach of their users' passwords, weak and strong alike. They want desperately to have those users start thinking along different lines and sadly, it appears to be working.

      • by cprincipe (100684)

        Except for the fact that many of the other sites/services for which I use my email address have gone into the leaked torrent, found my email address, and locked my account and forced me to change my password, even though I haven't used the same password amongst the sites. I've spent the last week getting locked out of various places and having to come up with all new passwords

  • by pongo000 (97357) on Monday December 20, 2010 @08:44PM (#34623930)

    ...no one has heard of!

    Seriously, was Gawker on anyone /.ers' radar before this news broke? Or am I the only one who never leaves the cave?

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      Posting anonymously because my email was in the leaked info.

      Lifehacker has some useful tips; Linux, Mac and Windows. Including their mobile variants and smartphones.

      Gizmodo is another, which I used to read often but I got sick of reading so many commercials (that's the idea of the site, they didn't do anything wrong).

      Give them a look over. At the bottom of Lifehacker.com pages there are links to the other sites (fleshbot.com is missing, maybe because it's NSFW).
      • imo, engadget is much better than gizmodo. though i do find useful lifehacker page when searching for specific software.

    • by MoonBuggy (611105) on Monday December 20, 2010 @09:11PM (#34624102) Journal

      They are a giant precisely because they are the force behind a fairly diverse range of sites, all of which are big names in their respective fields. You may not have heard the name 'Gawker Media', and I don't expect valleywag or Jezebel to come up on most Slashdotters' daily rotation, but Gizmodo gets linked here (either in stories or comments) fairly regularly.

    • by PhrostyMcByte (589271) <phrosty@gmail.com> on Monday December 20, 2010 @09:40PM (#34624230) Homepage

      There's a good chance you've been to one of their sites before. Gizmodo, Kotaku, Lifehacker, and io9 are their bigger ones I can recall -- I'm sure there are others. I personally read Gizmodo and io9 quite often, though I've never made an account with them.

  • You don't say!

    Our development efforts have been focused on new product while committing relatively little time to reviewing past work.

    Software engineers, stop me if you've heard this one: "Don't worry about bugs or security holes! Just keep shoveling features in and ship! Audits? Code reviews?? Don't have time--gotta ship ship ship!"

  • by 140Mandak262Jamuna (970587) on Monday December 20, 2010 @08:50PM (#34623966) Journal

    In recent weeks, intruders were able to gain access to our web servers by exploiting a vulnerability in our source code, allowing them to gain access to user data and passwords.

    They are still blaming bugs in code. Pretending to be mistakes made by low level programming flunkies. The problem was using an unsalted hash that allowed them to do a simple dictionary attack. Further even the top guys were using very simple passwords. Used the same password for multiple accounts. Continued to leave other accounts and usernames unlocked even after knowing one account using that password has been compromised.

    No. The real problem was that the managers and the top dogs drawing top salaries were clueless idiots. Pretending that it was some kind of stupid bug left in code by some low level programmer shows how disconnected these bozos are from reality.

    • Did you read the readmes in the torrent? The attackers claim that they took DAYS to download those passwords. That traffic didn't look unusual to anyone? Should any system anywhere that isn't either migrating that database or backing it up be looking at more than a couple of passwords in any short span of time? Regardless, this didn't draw any attention. Bug or not, there's not really any excuse here.
    • If their claims to be consulting an "independent security firm" are true, then it appears they also realize they're incompetent and are bringing in outside help to school them on proper security.

      We've learned many lessons from this experience, both as a tech team, as a company, and as individuals. If there's one lesson nearly all of us learned, it's that we can and must be smarter with passwords. Lifehacker is a great resource for password advice (and there are many others). I suggest you start here: http://lifehacker.com/184773/geek-to-live [lifehacker.com]-choose-and-remember-great-passwords.

      It seems they're at least beginning to learn, though.

      They also mention that they're going to let users use OAuth to log in. It's not clear if they'll be moving all accounts to OAuth, or if they're going to keep using unsalted crypt() for users who want to keep their account local.

    • by Dhalka226 (559740)

      I'm not disagreeing with you that there were multiple failures at multiple levels of the management chain.

      But wouldn't using an unsalted hash vulnerable to dictionary attacks be the mistake of "low-level programming flunkies?" Why should any management-level people know what the hell a hash or a salt is, much less be micromanaging their programmers to that extent? Isn't that why you hire coders in the first place -- for their expertise in doing things the right way?

      • The problem usually comes down to this:

        A) Pay a decent, well reputable, knowledgeable coder $$$$ for his time to develop a website.

        or

        B) Pay some outsourced company $$ for their time to develop a website.

        Most management usually goes for B. It generally makes them "look better" because it can "get the job done", they can "save money". Security is an afterthought to almost all management levels. The only reason that Gawker's management is even anything close to concerned now is because it's going to cut into a
        • by mlts (1038732) *

          I have heard this manta repeatedly endlessly by PHBs, "security has no ROI."

          With an attitude like this, it gets surprising that these breaches are not even more commonplace. Of course, there will be no long term consequences for the poor security, except what happens to the users.

          I hate calling for regulation [1], but it may take governments stepping in and people going to jail before businesses actually pay more than token attention to security.

          Defense in depth -- now that is a sensible philosophy. This

  • by Anonymous Coward
    From TFA:

    "The tech team should have been better prepared, committed more time to perform thorough audits, and grown our team’s technical expertise to meet our specific business needs."

    We have the exact same problem with an internet-connected application where I work - plaintext passwords. All of the developers have pointed out that it's a problem to business, but they think it's a feature because it allows them to read passwords back to customers who've lost them, or send them a welcome e-mail with their password. No matter how much we whinge and bitch that it's wrong and you can send users new passwords with hashed or encrypted password systems they won't budge and refuse to sp

  • Is part of the strategy to force users to change their password every month so they can write it down or reuse it and make it just secure enough to pass validation? This kind of crap is happening at work and forces me to use crappy passwords! Thanks security consultants!
  • secure data within their network. Every solution he proposed uses and outside resource. Move away from storing all data? Use outside authentication? One time accounts? (this one really got me)

    Are they that bad at the basics of security? Someone please tell me this is not the norm.

  • from the memo [poynter.org]:

    Disposable accounts are similar to the service a pre-paid phone offers to drug dealers (a disposable, untraceable communication device).

    I wonder how did he come across this service? I mean, even if you think doing drugs is ok it's a questionable example to use in a corporate memo.

  • I never heard of Gawker, but I received email from them telling me that my account was compromised. I just went to their site, entered my email and asked for a password reset. I got a reply with a username I don't recognize. When I logged in with the id and password, I got an error message that said I had never "verified" my account.

      I'd say they have some serious problems that go beyond the password hack.

    The premise of the site seems pretty sketchy.

    • Actually, ditto. Also, I've read Lifehacker for some time. It isn't exactly like SunTzuWarmaster is a username that has been ever taken... why would Gawker, of all places, have a username that I have never heard of?

  • by J05H (5625)

    They really screwed the pooch. I'll never go to their sites again, this is basic info-sec that should have been simple and unobtrusive. They failed.

  • by rudy_wayne (414635) on Monday December 20, 2010 @11:51PM (#34624958)

    It turns out that Gawker has a "Chief Technology Officer". However, if you read this article from Forbes [forbes.com], it makes you wonder what this guy actually did, other than show up and collect a paycheck.

  • by Loki_666 (824073)

    Here is a copy of the memo that was sent out highlighting the new security protocols:

    To: All Employees

    New Security Protocols

    1) Do not write down your passwords on post-it notes and then attach them to your monitor.

    Thank you for your cooperation.

    • by chimpo13 (471212)

      It would've been more secure for employees to write them down. Then they only have to worry about their spouse, kids, plumber and people who get to see the house office. If they have a real office, it's still limited to employees and finding out who the Evil One is after something like this shouldn't be that hard. Writing down passwords on post-its isn't that big of a problem.

  • I may be wrong, but it appears that when you try to delete your account, they don't actually get rid of the information, they just make it inaccessible to you. I guess they'd prefer not to offend all the advertisers they whored your personal information out to.

I have never seen anything fill up a vacuum so fast and still suck. -- Rob Pike, on X.

Working...